With the current variety of Windows 10 endpoints, such as laptops, hybrids, tablets, and smartphones, organizations are moving to Unified Endpoint Management (UEM) solutions to provide endpoint security for device types that traditional management tools do not cover. Users work from endpoints that mix private and corporate characteristics in how applications and data are used, delivered, and secured. They want native applications, installable from a public or enterprise store, to do their work. Enterprises need to protect those native applications and their data, transparently to the user, on whatever network the device connects to. The Microsoft configuration service providers (CSPs) expose the MDM/UEM commands used to manage and secure these Windows 10 endpoints. In addition, you might want a specific set of enterprise or public applications to connect securely from within the WIP container to your corporate network.
That’s where this guide comes in.
Currently, XenMobile doesn’t provide a WIP per-app VPN option in the GUI, but the ability to create Custom XML policies for Windows 10 devices in the XenMobile GUI opens the door to using the Microsoft VPNv2 CSP to add this functionality.
There are many additional options you can configure in the per-app VPN CSP, but for this example I configured a set of parameters that matches the Microsoft Remote Access and Network Protection server in my lab. If you have another type of Layer 2 VPN solution, this will also work.
If you want different settings, read the entire VPNv2 CSP reference and adjust the XML to your needs.
Prerequisites
Step | Prerequisites |
1. | Windows 10 Pro or Enterprise workstation, Anniversary Update |
2. | Windows 10 Phone, Anniversary Update |
3. | XenMobile 10.6 Server |
4. | Online XML Escape Tool |
5. | XML editing tool such as Notepad++ |
6. | VPN appliance that supports the VPN protocols built into the Windows OS |
Additional resources
Windows 10 Configuration Service Provider reference |
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over-the-air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over-the-air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot. |
https://msdn.microsoft.com/en-us/library/windows/hardware/dn920025%28v=vs.85%29.aspx |
Online XML Escape Tool |
Escapes or unescapes an XML file, removing traces of offending characters that could be wrongly interpreted as markup.
The following characters are reserved in XML and must be replaced with their corresponding XML entities: " (&quot;), ' (&apos;), < (&lt;), > (&gt;), and & (&amp;). |
https://www.freeformatter.com/xml-escape.html#ad-output |
To find the publisher and product name for Microsoft apps in Windows Store for Business |
1. Go to the Windows Store for Business website and find your app. For example, Microsoft OneNote.
2. Copy the ID value from the app URL. For example, Microsoft OneNote’s URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you’d copy the ID value, 9wzdncrfhvjl.
3. In your browser, call the Store for Business portal web API, which returns a JavaScript Object Notation (JSON) document that includes the publisher and product name values. Request URI: https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata |
https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp#a-href-idproductnameafind-publisher-and-product-name-of-apps |
Notepad++ |
Download and install Notepad++ on your workstation. |
https://notepad-plus-plus.org/ |
Complete Per-AppVPN XML for WIP.xml from this document |
Download it with ShareFile and edit it with Notepad++. |
https://citrix.sharefile.com/d-s4e8e0109d4c46c29 |
Creating an XML template for Win10 Per-App-VPN with WIP integration
Step | Action |
1. | Make sure you have installed Notepad++. |
2. | Create a new document in Notepad++. |
3. | Save the new document as a file with the .xml extension in your desired location. |
4. | Copy the template XML below into the XML file you just created.
–TEMPLATE–
<Atomic>
  <CmdID>_cmdid_</CmdID>
  <Add>
    <CmdID>_cmdid_</CmdID>
    <Item>
      <Target>
        <LocURI>./Device/Vendor/MSFT/VPNv2/[VPNNAME]</LocURI>
      </Target>
      <Data>[CONFIG]</Data>
    </Item>
  </Add>
</Atomic>
–END TEMPLATE– |
5. | It should look like the result below. |
6. | In your custom XML file, replace [VPNNAME] with the name you want to give the VPN. This name must be used consistently through all the branches we are going to configure. |
7. | In a browser, open the CSP reference link from the Additional resources section and select VPNv2. |
8. | For this custom per-app VPN XML to work, we need to walk step by step through the CSP tree, one node at a time. I will describe each branch that I use in my example. |
9. | The VPNv2 CSP can be used on the Device or User profile. In the examples below I use Device; if you want to use the User profile, change ./Device/Vendor/MSFT to ./User/Vendor/MSFT throughout your custom XML file. |
Configure the AppTriggerList parameter
Step | Action |
1. | VPNv2/ProfileName/AppTriggerList
Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect. |
2. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
3. | Add the desktop or UWP applications you want to the application trigger list. In my example I have used Outlook and the native Windows Mail client to trigger the VPN. |
4. | Don’t forget to number each app correctly after /AppTriggerList. |
5. | Example: |
Configure the DomainNameInformationList/dniRowId/DomainName parameter
Step | Action |
1. | VPNv2/ProfileName/DomainNameInformationList/dniRowId/DomainName
Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. The NRPT is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. |
2. | In my example, I will only use the DomainName. It indicates the namespace to which the policy applies. When a name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. |
3. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
4. | Don’t forget to number each domain correctly after /DomainNameInformationList. |
5. | Example: |
Configure the DomainNameInformationList/dniRowId/DnsServers parameter
Step | Action |
1. | VPNv2/ProfileName/DomainNameInformationList/dniRowId/DnsServers
List of comma-separated DNS server IP addresses to use for the namespace. Value type is chr. Supported operations include Get, Add, Replace, and Delete. |
2. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
3. | Don’t forget to number each domain correctly after /DomainNameInformationList. |
4. | Example: |
Configure the DomainNameInformationList/dniRowId/AutoTrigger parameter
Step | Action |
1. | VPNv2/ProfileName/DomainNameInformationList/dniRowId/AutoTrigger
Added in Windows 10, version 1607. Optional. Boolean that determines whether this domain name rule will trigger the VPN. If set to False, this DomainName rule will not trigger the VPN. If set to True, this DomainName rule will trigger the VPN. By default, this value is false. Value type is bool. Persistent. |
2. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
3. | Don’t forget to number each domain correctly after /DomainNameInformationList. |
4. | Example: |
Configure the EdpModeId parameter
Step | Action |
1. | To use EDP/WIP applications with the per-app VPN, this is the setting that connects the VPN profile to a WIP policy. |
2. | VPNv2/ProfileName/EdpModeId
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine whether the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. Additionally, when connecting with Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless a more advanced configuration is needed), because the WIP policies and app lists automatically take effect. Value type is chr. Supported operations include Get, Add, Replace, and Delete. |
3. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
4. | Example: |
Configure the RememberCredentials parameter
Step | Action |
1. | VPNv2/ProfileName/RememberCredentials
Boolean value (true or false) for caching credentials. Default is false, which means do not cache credentials. If set to true, credentials are cached whenever possible. Supported operations include Get, Add, Replace, and Delete. |
2. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
3. | Example: |
Configure the TrustedNetworkDetection parameter
Step | Action |
1. | VPNv2/ProfileName/TrustedNetworkDetection
Optional. Comma-separated string that identifies the trusted network. The VPN will not connect automatically when the user is on the corporate wireless network, where protected resources are directly accessible to the device. Value type is chr. Supported operations include Get, Add, Replace, and Delete. |
2. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
3. | Example: |
Configure the LockDown parameter
Step | Action |
1. | VPNv2/ProfileName/LockDown
Lockdown profile. Valid values: False (default) – this is not a LockDown profile. True – this is a LockDown profile. When the LockDown profile is turned on, it does the following things: first, it automatically becomes an “always on” profile; second, it can never be disconnected; third, if the profile is not connected, the user has no network; fourth, no other profiles may be connected or modified. A LockDown profile must be deleted before you can add, remove, or connect other profiles. Value type is bool. Supported operations include Get, Add, Replace, and Delete. |
2. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
3. | Example: |
Configure the TrafficFilterList and TrafficFilterList/trafficFilterId/App/Id parameters
Step | Action |
1. | VPNv2/ProfileName/TrafficFilterList
An optional node that specifies a list of rules. Only traffic that matches these rules can be sent via the VPN interface. Note: once a TrafficFilterList is added, all traffic is blocked other than the traffic matching the rules. When adding multiple rules, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other. |
2. | VPNv2/ProfileName/TrafficFilterList/trafficFilterId/App/Id
App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName – this App/Id value represents the PackageFamilyName of the app; the PackageFamilyName is the unique name of a Windows Store application. FilePath – this App/Id value represents the full file path of the app, for example C:\Windows\System\Notepad.exe. SYSTEM – this value enables kernel drivers to send traffic through the VPN (for example, PING or SMB). Value type is chr. Supported operations include Get, Add, Replace, and Delete. |
3. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
4. | Don’t forget to number each rule correctly after /TrafficFilterList. |
5. | Example: |
Configure the TrafficFilterList/trafficFilterId/RoutingPolicyType parameter
Step | Action |
1. | VPNv2/ProfileName/TrafficFilterList/trafficFilterId/RoutingPolicyType
Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is this traffic filter rule alone. The value can be one of the following: SplitTunnel – for this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface; Internet traffic can continue to go over the other interfaces. ForceTunnel – for this traffic filter rule, all IP traffic must go through the VPN interface only. This is only applicable to App ID based traffic filter rules. Value type is chr. Supported operations include Get, Add, Replace, and Delete. |
2. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
3. | Don’t forget to number each rule correctly after /TrafficFilterList. |
4. | Example: |
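The sections from AppTriggerList through TrafficFilterList/RoutingPolicyType all repeat the same two chores: copy the template for each leaf, and get the row numbers after the list node right. The script below, an added example that is not part of the original guide or of XenMobile, does both in code: it emits one <Add> per CSP leaf in the shape of the guide’s template (keeping the _cmdid_ placeholder literally) and numbers the rows of the three list nodes itself. The profile name, the Windows Mail package family name, the Outlook path, the domain and the DNS addresses are constructed sample values, and row ids start at 0 as in Microsoft’s VPNv2 CSP examples, which the guide does not state explicitly.

```python
"""Added example (not from the original Citrix guide): generate the VPNv2 CSP
SyncML fragment that the guide builds by hand in Notepad++. One <Add> is emitted
per CSP leaf, and the row numbering the guide warns about (AppTriggerList,
DomainNameInformationList, TrafficFilterList) is done in code. The profile
name, app identities, domains and addresses are constructed samples."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SCOPE = "Device"            # "User" targets the user profile instead
PROFILE = "ContosoWipVpn"   # constructed sample for the guide's [VPNNAME]


def loc_uri(node, scope=SCOPE, profile=PROFILE):
    """LocURI of one node under the VPNv2 profile."""
    return f"./{scope}/Vendor/MSFT/VPNv2/{profile}/{node}"


def add_item(node, value):
    """One <Add> command. _cmdid_ is kept literally, as in the guide's template."""
    if isinstance(value, bool):
        value = "true" if value else "false"   # CSP bool values are lower-case strings
    return ("<Add><CmdID>_cmdid_</CmdID><Item><Target><LocURI>"
            f"{loc_uri(node)}</LocURI></Target>"
            f"<Data>{escape(str(value))}</Data></Item></Add>")


def numbered(list_node, rows):
    """Emit the rows of a list node with a sequential row id in the LocURI.
    Row ids start at 0 here, as in Microsoft's VPNv2 CSP examples (assumption;
    the guide only says to number the rows correctly)."""
    out = []
    for row_id, leaves in enumerate(rows):
        for leaf, value in leaves.items():
            out.append(add_item(f"{list_node}/{row_id}/{leaf}", value))
    return out


def build_profile(cfg):
    """Return one <Atomic> block containing every <Add> for the profile."""
    items = numbered("AppTriggerList", [{"App/Id": app} for app in cfg["apps"]])
    items += numbered("DomainNameInformationList", cfg["domains"])
    items += numbered("TrafficFilterList", cfg["traffic_filters"])
    for leaf in ("EdpModeId", "RememberCredentials",
                 "TrustedNetworkDetection", "LockDown"):
        items.append(add_item(leaf, cfg[leaf]))
    return "<Atomic><CmdID>_cmdid_</CmdID>" + "".join(items) + "</Atomic>"


def loc_uris(xml_text):
    """Parse the result and list every LocURI in document order (for checking)."""
    return [e.text for e in ET.fromstring(xml_text).iter("LocURI")]


def data_values(xml_text):
    """Parse the result and list every Data value in document order (for checking)."""
    return [e.text for e in ET.fromstring(xml_text).iter("Data")]


# Constructed sample settings following the branches the guide walks through.
# The Windows Mail package family name and the Outlook path are assumed values.
SAMPLE = {
    "apps": ["microsoft.windowscommunicationsapps_8wekyb3d8bbwe",
             r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"],
    "domains": [{"DomainName": ".corp.contoso.com",
                 "DnsServers": "10.0.0.10,10.0.0.11",
                 "AutoTrigger": True}],
    "traffic_filters": [{"App/Id": "microsoft.windowscommunicationsapps_8wekyb3d8bbwe",
                         "RoutingPolicyType": "SplitTunnel"}],
    "EdpModeId": "corp.contoso.com",
    "RememberCredentials": True,
    "TrustedNetworkDetection": "corp.contoso.com",
    "LockDown": False,
}

if __name__ == "__main__":
    print(build_profile(SAMPLE))
```

Switching SCOPE to "User" changes every LocURI at once, which is the step 9 rule the guide asks you to apply by hand. All <Add> commands sit in one <Atomic>, so the device applies the profile completely or not at all.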
Configure the VPNv2 NativeProfile parameter
Step | Action |
1. | VPNv2/ProfileName/NativeProfile
Nodes under NativeProfile are required when using a Windows inbox VPN protocol (IKEv2, PPTP, L2TP). |
2. | VPNv2/ProfileName/NativeProfile/Servers
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples: 208.147.66.130 or vpn.contoso.com. Value type is chr. Supported operations include Get, Add, Replace, and Delete. |
3. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
4. | Don’t forget to use the same [ProfileName] throughout the entire XML file you are creating. |
5. | Example: |
Configure the VPNv2 NativeProfile/RoutingPolicyType parameter
Step | Action |
1. | VPNv2/ProfileName/NativeProfile/RoutingPolicyType
Optional for native profiles. Type of routing policy. This value can be one of the following: SplitTunnel – traffic can go over any interface as determined by the networking stack. ForceTunnel – all IP traffic must go over the VPN interface. Value type is chr. Supported operations include Get, Add, Replace, and Delete. |
2. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
3. | Don’t forget to use the same [ProfileName] throughout the entire XML file you are creating. |
4. | Example: |
Configure the VPNv2 NativeProfile/NativeProtocolType parameter
Step | Action |
1. | VPNv2/ProfileName/NativeProfile/NativeProtocolType
Required for native profiles. Type of tunneling protocol used. This value can be one of the following: PPTP, L2TP, IKEv2, Automatic. Value type is chr. Supported operations include Get, Add, Replace, and Delete. |
2. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
3. | Don’t forget to use the same [ProfileName] throughout the entire XML file you are creating. |
4. | Example: |
Configure the VPNv2 NativeProfile/Authentication/UserMethod parameter
Step | Action |
1. | VPNv2/ProfileName/NativeProfile/Authentication
Required node for native profiles. It contains authentication information for the native VPN profile. |
2. | VPNv2/ProfileName/NativeProfile/Authentication/UserMethod
This value can be one of the following: EAP, MSChapv2 (not supported for IKEv2). Value type is chr. Supported operations include Get, Add, Replace, and Delete. |
3. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
4. | Don’t forget to use the same [ProfileName] throughout the entire XML file you are creating. |
5. | Example: |
Configure the VPNv2 NativeProfile/Authentication/Eap/Configuration parameter
Step | Action |
1. | VPNv2/ProfileName/NativeProfile/Authentication/Eap/Configuration
HTML-encoded XML of the EAP configuration. For more information about EAP configuration XML, see EAP configuration. Value type is chr. Supported operations include Get, Add, Replace, and Delete. |
2. | EAP configuration: https://docs.microsoft.com/en-us/windows/client-management/mdm/eap-configuration |
3. | Escape the EAP configuration XML you obtained from the PowerShell commands in the how-to linked in step 2, using the Online XML Escape Tool from the Additional resources section. |
4. | You can use the template to copy and paste it as a new value (remember to remove the template from the XML file at the end). |
5. | Add the <Meta> and <Format> elements after </Target> and before </Item> in the template you just copied.
Example: |
6. | Copy the escaped XML from the Online XML Escape Tool between <Data> and </Data>.
Example: |
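The Eap/Configuration leaf is the one place where the value itself is XML, so it must be escaped before it goes between <Data> and </Data>; pasting it raw turns the EAP document into child elements of <Data> and the CSP never sees it as a string. The script below is an added example, not code from the guide, that performs the escaping step 3 does with the online tool and adds the <Meta>/<Format> from step 5. The EAP document is a shortened constructed stub standing in for the PowerShell output, the profile name is a constructed sample, and the Format value "chr" is assumed from the SyncML metinf convention, since the guide shows it only in a screenshot.

```python
"""Added example (not from the original guide): wrap an EAP configuration XML
document into the NativeProfile/Authentication/Eap/Configuration item, escaping
it for the <Data> element and adding the <Meta>/<Format> the guide calls for.
The EAP XML below is a shortened constructed stub standing in for the output of
the EAP PowerShell commands; the Format value "chr" is assumed from the SyncML
metinf convention."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PROFILE = "ContosoWipVpn"   # constructed sample for the guide's [VPNNAME]
EAP_NODE = "NativeProfile/Authentication/Eap/Configuration"
XML_ENTITIES = {'"': "&quot;", "'": "&apos;"}   # escape() handles &, <, > itself

# Constructed stub: a real configuration comes from the Microsoft EAP how-to.
EAP_CONFIG = (
    '<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">'
    '<EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>'
    '</EapMethod></EapHostConfig>'
)


def escape_for_data(text):
    """Escape the five XML reserved characters, like the online escape tool does."""
    return escape(text, XML_ENTITIES)


def eap_item(eap_xml, profile=PROFILE, scope="Device"):
    """<Add> for Eap/Configuration: the EAP XML travels as escaped chr data."""
    return ("<Add><CmdID>_cmdid_</CmdID><Item><Target><LocURI>"
            f"./{scope}/Vendor/MSFT/VPNv2/{profile}/{EAP_NODE}</LocURI></Target>"
            '<Meta><Format xmlns="syncml:metinf">chr</Format></Meta>'
            f"<Data>{escape_for_data(eap_xml)}</Data></Item></Add>")


def embedded_eap_config(item_xml):
    """Parse the <Add> and return the EAP XML the device sees after unescaping."""
    return ET.fromstring(item_xml).find("./Item/Data").text


def is_properly_escaped(item_xml):
    """True when Data carries no raw markup and its text is itself an EAP document."""
    data = ET.fromstring(item_xml).find("./Item/Data")
    if len(data) != 0:          # child elements mean the EAP XML was pasted unescaped
        return False
    return ET.fromstring(data.text).tag.endswith("EapHostConfig")


if __name__ == "__main__":
    print(eap_item(EAP_CONFIG))
```

is_properly_escaped is the check to run on a hand-edited file: it distinguishes a <Data> element whose text is the EAP document from one that has swallowed the EAP elements as children, which is what a missed escaping step looks like once parsed.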
Prepare the XML file for XenMobile use
Step | Action |
1. | Remove all the comment sections (<!-- TEXT -->, shown in green by Notepad++) from the custom XML file.
Example: |
2. | Remove the template section you created at the beginning from the XML file. |
3. | Copy all text in the custom XML file and paste it into the XenMobile 10.6 administrator GUI within Device Policies, Add, Custom, Custom XML. Attach the policy to your desired delivery group for deployment.
Example: |
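Before pasting into XenMobile it is worth checking the finished file mechanically, because a leftover comment, a stale [VPNNAME], a profile name that differs between branches, or a gap in the row numbering produces a policy that silently fails to apply. The script below is an added example, not part of the guide or of XenMobile; it encodes the rules the guide states (comments and template removed, one profile name and one Device/User scope throughout, consecutive row ids under the list nodes, an EdpModeId so the profile binds to the WIP policy). Both sample documents are constructed.

```python
"""Added example (not part of the original guide): checks to run on the finished
custom XML before pasting it into the XenMobile Custom XML policy. Both documents
below are constructed samples."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

LOCURI_RE = re.compile(r"^\./(Device|User)/Vendor/MSFT/VPNv2/([^/]+)/(.+)$")
LIST_NODES = ("AppTriggerList", "DomainNameInformationList", "TrafficFilterList")


def check_custom_xml(text):
    """Return a list of problems; an empty list means the file passed every check."""
    problems = []
    if "<!--" in text:
        problems.append("comment left in file")
    for marker in ("[VPNNAME]", "[CONFIG]", "TEMPLATE"):
        if marker in text:
            problems.append(f"template text {marker} still present")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]

    scopes, profiles, rows = set(), set(), defaultdict(set)
    uris = [e.text or "" for e in root.iter("LocURI")]
    for uri in uris:
        m = LOCURI_RE.match(uri)
        if not m:
            problems.append(f"unexpected LocURI: {uri}")
            continue
        scope, profile, rest = m.groups()
        scopes.add(scope)
        profiles.add(profile)
        parts = rest.split("/")
        if parts[0] in LIST_NODES:
            if len(parts) > 1 and parts[1].isdigit():
                rows[parts[0]].add(int(parts[1]))
            else:
                problems.append(f"missing row id after {parts[0]} in {uri}")
    if len(profiles) > 1:
        problems.append(f"mixed profile names: {sorted(profiles)}")
    if len(scopes) > 1:
        problems.append("mixed Device and User scope")
    for node, ids in rows.items():
        if ids != set(range(min(ids), min(ids) + len(ids))):
            problems.append(f"{node} row ids not consecutive: {sorted(ids)}")
    if not any(u.endswith("/EdpModeId") for u in uris):
        problems.append("EdpModeId missing; the profile will not bind to a WIP policy")
    return problems


def add(uri, value):
    """Build one <Add> in the guide's template shape (used for the samples below)."""
    return (f"<Add><CmdID>_cmdid_</CmdID><Item><Target><LocURI>{uri}</LocURI>"
            f"</Target><Data>{value}</Data></Item></Add>")


BASE = "./Device/Vendor/MSFT/VPNv2/ContosoWipVpn/"   # constructed profile name

# Constructed: a file that follows every rule in the guide.
GOOD = ("<Atomic><CmdID>_cmdid_</CmdID>"
        + add(BASE + "AppTriggerList/0/App/Id", "microsoft.windowscommunicationsapps_8wekyb3d8bbwe")
        + add(BASE + "AppTriggerList/1/App/Id", "OUTLOOK.EXE")
        + add(BASE + "EdpModeId", "corp.contoso.com")
        + "</Atomic>")

# Constructed: a comment left in, a second profile name, a numbering gap, no EdpModeId.
BAD = ("<Atomic><CmdID>_cmdid_</CmdID><!-- trigger apps -->"
       + add(BASE + "AppTriggerList/0/App/Id", "OUTLOOK.EXE")
       + add("./Device/Vendor/MSFT/VPNv2/ContosoVpn/AppTriggerList/2/App/Id", "OUTLOOK.EXE")
       + "</Atomic>")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_custom_xml(doc) or "OK")
```

Run it against the exported file (read the file into a string and pass it to check_custom_xml) after step 2 and before step 3; the _cmdid_ placeholders are left alone because they belong in the file as the guide's template shows them.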
With special thanks to Allan Kristensen, Christopher Friend, Milind Mohile, Sujit Narayanan and the development team for review and comments.